dcrat | 774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Size

2.2MB
MD5

889f050ef7bc85238ef3ba17c1ca8530
SHA1

5168769f30a3efbf81ec2174c84d4290882b4c08
SHA256

774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d
SHA512

4a7c67efba35f6e12d2953466e8e7b3a05254ae1fc0cfd43cb16d9cb50bc4e69bdfb44d25d8555b36d7a6096a8a3c8c160de1cd03ee022c5a57681c59c7bf0ef
SSDEEP

49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:sLlK6d3/Nh/bV/Oq3Dxp2RUG

Score

10^/10

dcrat defense_evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\", \"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows Media Player\\StartMenuExperienceHost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\", \"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows Media Player\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\fontdrvhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\", \"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\", \"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\", \"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Migration\\WTR\\spoolsv.exe\", \"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4340	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4340	schtasks.exe	83

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4024-1-0x0000000000850000-0x0000000000A7E000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b85-41.dat	dcrat
behavioral2/files/0x000b000000023b7b-95.dat	dcrat
behavioral2/files/0x000d000000023b90-116.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 3 IoCs

pid	Process
4608	fontdrvhost.exe
3048	fontdrvhost.exe
4560	fontdrvhost.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\fontdrvhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Media Player\\StartMenuExperienceHost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Media Player\\StartMenuExperienceHost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Migration\\WTR\\spoolsv.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\fontdrvhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Migration\\WTR\\spoolsv.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Recent\\fontdrvhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\5b884080fd4f94	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX7FCC.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX81D1.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Windows Media Player\55b276f4edf653	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX7F4E.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX81D2.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\RCX730F.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Windows\Migration\WTR\RCX7310.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Windows\Migration\WTR\spoolsv.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1848	schtasks.exe
3624	schtasks.exe
2228	schtasks.exe
3836	schtasks.exe
1492	schtasks.exe
1588	schtasks.exe
5116	schtasks.exe
4960	schtasks.exe
1132	schtasks.exe
4904	schtasks.exe
1920	schtasks.exe
1700	schtasks.exe
3636	schtasks.exe
2756	schtasks.exe
1228	schtasks.exe
636	schtasks.exe
4540	schtasks.exe
2252	schtasks.exe
1652	schtasks.exe
3516	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe
4608	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Token: SeDebugPrivilege	4608	fontdrvhost.exe
Token: SeDebugPrivilege	3048	fontdrvhost.exe
Token: SeDebugPrivilege	4560	fontdrvhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4608	4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	106
PID 4024 wrote to memory of 4608	4024	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	106
PID 4608 wrote to memory of 536	4608	fontdrvhost.exe	111
PID 4608 wrote to memory of 536	4608	fontdrvhost.exe	111
PID 4608 wrote to memory of 3432	4608	fontdrvhost.exe	112
PID 4608 wrote to memory of 3432	4608	fontdrvhost.exe	112
PID 536 wrote to memory of 3048	536	WScript.exe	124
PID 536 wrote to memory of 3048	536	WScript.exe	124
PID 3048 wrote to memory of 4344	3048	fontdrvhost.exe	126
PID 3048 wrote to memory of 4344	3048	fontdrvhost.exe	126
PID 3048 wrote to memory of 1536	3048	fontdrvhost.exe	127
PID 3048 wrote to memory of 1536	3048	fontdrvhost.exe	127
PID 4344 wrote to memory of 4560	4344	WScript.exe	130
PID 4344 wrote to memory of 4560	4344	WScript.exe	130
PID 4560 wrote to memory of 724	4560	fontdrvhost.exe	132
PID 4560 wrote to memory of 724	4560	fontdrvhost.exe	132
PID 4560 wrote to memory of 1660	4560	fontdrvhost.exe	133
PID 4560 wrote to memory of 1660	4560	fontdrvhost.exe	133

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
"C:\Users\Admin\AppData\Local\Temp\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4024
- C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe
  "C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4608
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e0315ec-4e4c-416e-93fd-bf30bc57cc53.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe
      "C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3048
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25dc55b8-14ab-4783-bafd-b26dd5e7d086.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62518f9-9e43-4a40-95e1-8b75338723b7.vbs"
        7⤵
        
        PID:724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\371973a3-547e-46b6-be7f-0c9dc8eec497.vbs"
        7⤵
        
        PID:1660
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7cedcc5-46b2-412f-bba8-952867fb037f.vbs"
        5⤵
        
        PID:1536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5187071-9420-4e99-b4d5-b27adbc403d3.vbs"
    3⤵
    PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Recent\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe

Filesize
2.2MB

MD5
3c5fc886fe8abd94311259d5512b9351

SHA1
71d0fbd817b939d8d62bc50613972875366cb986

SHA256
e2f530e1de7766a413cfd0cf168cc22fd8af57c5d2ec4ab4d8559eac2b7eca4f

SHA512
ad24c602972d8c9f5b1b27910b605615c5fe91a43be4bacf434d490632567f1063aab6de5e1f26e92af669ece9a349da108b4a836ab2a7eb0517738a45e470fa

Download Submit
C:\Recovery\WindowsRE\Idle.exe

Filesize
2.2MB

MD5
889f050ef7bc85238ef3ba17c1ca8530

SHA1
5168769f30a3efbf81ec2174c84d4290882b4c08

SHA256
774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d

SHA512
4a7c67efba35f6e12d2953466e8e7b3a05254ae1fc0cfd43cb16d9cb50bc4e69bdfb44d25d8555b36d7a6096a8a3c8c160de1cd03ee022c5a57681c59c7bf0ef

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
2.2MB

MD5
55bcc33cc17744fc9325e88f1d0b1455

SHA1
262779e071c414c38c2e21de8bab24b8ed038273

SHA256
547abc694287165281803832d16138c35cf0a8d8f9cd80fee0f0436d336b2f78

SHA512
cc0a946bf2cfc6ac6467112262a8aca9cdc360bce4b9b1f7eee4e42419d7bf2ea507712f73edd241a5eadec5c8dc49b10ac04738ec18c836b787b3339316610d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25dc55b8-14ab-4783-bafd-b26dd5e7d086.vbs

Filesize
741B

MD5
99114cf6b1297f69c0cdea5cc87be0c2

SHA1
3dd87a5806cfa4c202db8417e3a2cf97cb9ce588

SHA256
9c3527d89c07edb8c078f86aa42bde134e24d9674abdd90ef27c15e9e823ddcd

SHA512
9222fa5435fe1fa026af8097aa7edf521e492ba12837359049b809bafb663349a3cf2c2596a23e9b771bc030ff26a5884091b87467e5c9233de08a6f13c6f2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e0315ec-4e4c-416e-93fd-bf30bc57cc53.vbs

Filesize
741B

MD5
2b40724f95838bd2448d6ac4f1f16cf5

SHA1
6e272b1ba7e7d89fcdb5f803e32864c6c3439b7d

SHA256
6472e644bb09bdadc8cff126112be41d51d90d5c17f523c725979fec765286d3

SHA512
9f0a58d049b5ad8126a05e4d9711d4e198ee945b85b8982695184677786f434f3cc73ad0c2a60e0ab92790fde0a92f139b468ba363b51c424aa20255c07aaef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b62518f9-9e43-4a40-95e1-8b75338723b7.vbs

Filesize
741B

MD5
3ccdaf7187b6ce7927ae7c8f5f5ef12c

SHA1
db3726d0cd406a7b4b3144d4f4fddffcce9eff67

SHA256
842de7f7005085e3ba9fd5d33c8ea89967de5cedc89c78908f3416554c0bb6b6

SHA512
a30770b1f816a5df86ef13ec8dc9989576d07eec0dd7ce0513895efa416690d9798b7bcf0bb8f81ad061c9a5b5e0da51503f2fbd8015c19748b8ab333ad2f9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5187071-9420-4e99-b4d5-b27adbc403d3.vbs

Filesize
517B

MD5
441028fe2803ee78f788891b19281005

SHA1
4498f3f27df6122ba842e5a9f4d7952adaa98615

SHA256
61e90b4a0d2ea19a53433a5c2ceec84e0fec54f5b2b8a35e70050403a6da8bf8

SHA512
52ecac076de6785c649bdf44f509fcc5771b7aada06ed46f1be0267bb91fb3fdbdf991eeb5170a983a2dec8e08ddb96ac9ab590524023ef4e91e44cee8e5d9bb

Download Submit
memory/4024-21-0x000000001BE10000-0x000000001BE1C000-memory.dmp

Filesize
48KB

Download
memory/4024-29-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

Filesize
32KB

Download
memory/4024-7-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/4024-11-0x0000000002E40000-0x0000000002E48000-memory.dmp

Filesize
32KB

Download
memory/4024-12-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4024-13-0x0000000002E50000-0x0000000002E5A000-memory.dmp

Filesize
40KB

Download
memory/4024-14-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/4024-15-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

Filesize
32KB

Download
memory/4024-16-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/4024-17-0x000000001BDD0000-0x000000001BDD8000-memory.dmp

Filesize
32KB

Download
memory/4024-19-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

Filesize
72KB

Download
memory/4024-20-0x000000001C340000-0x000000001C868000-memory.dmp

Filesize
5.2MB

Download
memory/4024-0-0x00007FFB80F43000-0x00007FFB80F45000-memory.dmp

Filesize
8KB

Download
memory/4024-22-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/4024-23-0x000000001BE30000-0x000000001BE3C000-memory.dmp

Filesize
48KB

Download
memory/4024-25-0x000000001BF50000-0x000000001BF5E000-memory.dmp

Filesize
56KB

Download
memory/4024-28-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

Filesize
48KB

Download
memory/4024-10-0x0000000002E30000-0x0000000002E3C000-memory.dmp

Filesize
48KB

Download
memory/4024-31-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

Filesize
48KB

Download
memory/4024-32-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/4024-27-0x000000001C0B0000-0x000000001C0BE000-memory.dmp

Filesize
56KB

Download
memory/4024-26-0x000000001BF60000-0x000000001BF68000-memory.dmp

Filesize
32KB

Download
memory/4024-24-0x000000001BF40000-0x000000001BF4A000-memory.dmp

Filesize
40KB

Download
memory/4024-30-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/4024-8-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/4024-9-0x0000000002E10000-0x0000000002E26000-memory.dmp

Filesize
88KB

Download
memory/4024-6-0x000000001B730000-0x000000001B780000-memory.dmp

Filesize
320KB

Download
memory/4024-191-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/4024-5-0x0000000002DD0000-0x0000000002DEC000-memory.dmp

Filesize
112KB

Download
memory/4024-4-0x0000000002DC0000-0x0000000002DCE000-memory.dmp

Filesize
56KB

Download
memory/4024-3-0x0000000002DB0000-0x0000000002DBE000-memory.dmp

Filesize
56KB

Download
memory/4024-2-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/4024-1-0x0000000000850000-0x0000000000A7E000-memory.dmp

Filesize
2.2MB

Download
memory/4560-215-0x000000001B810000-0x000000001B822000-memory.dmp

Filesize
72KB

Download
memory/4560-226-0x000000001C900000-0x000000001CA02000-memory.dmp

Filesize
1.0MB

Download